As a security-focused person, I enjoy learning new tooling, following industry trends, and understanding emerging risks. I understand security principles, know the context of my role, and apply them to my daily working life – however, that’s my job.
When it comes to businesses, we often remind them to focus on their core competencies – hire third parties to mind that which falls outside where possible. But why then, do we expect non-security and even non-technical persons to know absolutely everything about security, without proper training or motivation to care? It isn’t their core competency.
People First for a Reason
Security is people, process, and technology; but it’s people first for a reason. if you want workflows to change, if you want the culture to align with security by design – you have to work with and communicate effectively to the people you’re expecting this from.
Whilst many vendors will say “users are the weakest link” when discussing how their product will revolutionize how we approach security. There are few who understand that users can actually be an organization’s greatest security asset. This is because users know their job, they know what’s normal and can quickly identify something out of the ordinary. Properly trained users, who understand the “why” of security, will enhance your posture more than almost any tooling out there. Layer on top effective processes and controls that work with the people, and that is how you build a culture of security by design.
When the vendors know how to do security right, they start with the people – what does success look like for them? Hint, it’s embedded security throughout that reduces effort and becomes natural. Take for example the critical piece of every workflow: authentication.
Keeper Security and Authentication
Authentication is the bane of many. Simply mentioning passwords can cause people to tune out of the entire conversation. Frustratingly, the password policies themselves vs what actually works are often not aligned.
How then, can we make the authentication process more secure, without impacting workflows? Keeper Security[JP1] covered this brilliantly, during their Security Field Day 7’s presentation. What does success look like for their consumers:
- Users: easy to use, works across devices and offline, accessible.
- Technical Team: GUI and CLI capable, fully auditable, integrates into existing tooling, SSO Connect, decryption on the device – zero-knowledge architecture.
- Business and compliance: choose region data is stored aligning with regulatory needs, ability to restrict offline mode if required, cost-effective, and scalable.
- Personal account: with your enterprise account, you have a free separate personal account, tied to a personal email – so you can migrate to personal easily if you leave the organization. Trusted contacts for emergency access.
How does this improve the overall authentication workflow? Users are provided with the ability to use generated passwords – which is a more secure option as it’s unique and not easily guessable. They can securely share resources for more than just passwords, so no more credentials in email, and click to login when using a native client. There is also the feature for notification if found in a breach, so password rotation only needs to happen when it’s found to be compromised.
Clearly, the developers of Keeper Security understand the need to prioritize the user experience to effectively provide embedded security within workflows. The reality is, we are not at a place where passwords will be completely removed from our workflows; if you ask password enthusiast Per Thorsheim, that day will never come.
However, ensuring our environments are secure by making our authentication workflow easy for the users, is one major aspect of secure by design environment. Keeper Security has proven that this can be achieved in an Enterprise environment.
If you want to hear everything discussed, please watch the video here, or visit their website.
Additionally, see my disclosure here regarding writing from Tech Field Day events.